(wiz.io) Axios NPM Package Compromised in Supply Chain Attack via Trojanized Dependency
Critical supply chain attack detected: axios npm package (v1.14.1, v0.30.4) compromised via trojanized dependency plain-crypto-js (GHSA-fw8c-xr5c-95f9, MAL-2026-2306). Attackers leveraged a hijacked maintainer account to deploy multi-platform RATs with C2 beaconing to sfrclak.com:8000.
In brief - A threat actor compromised the axios npm package, publishing trojanized versions that pull in a malicious dependency. Because axios is present in roughly 80% of cloud environments, the compromised versions reached about 3% of environments. Immediate credential rotation and CI/CD pipeline audits are recommended.
Technically - The plain-crypto-js dependency carries a dropper (setup.js) that fetches a platform-specific payload: a Mach-O binary on macOS, a PowerShell script on Windows (persisting through a MicrosoftUpdate entry in the registry Run key), and a Python script on Linux. Each payload beacons to the C2 every 60 seconds and supports remote shell execution, credential theft, and system reconnaissance. After staging, the dropper restores the original package.json to cover its tracks, which complicates detection.
Source: https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack
